Akeyless SCP

Akeyless SCP enables secure copy via Secure Remote Access Bastion.



Akeyless SCP currently supports only UNIX-like OS.



  1. Download Akeyless SCP script:
curl -o akeyless-scp https://download.akeyless.io/Akeyless_Artifacts/Linux/SSH/akeyless-scp
chmod +x akeyless-scp
mv akeyless-scp /usr/local/bin
  1. Create a resource file called ~/.akeyless-connect.rc as follows:
# ---------------------------------------------------------------------
# Copyright © 2019-2023  Akeyless Security LTD.
# All rights reserved
# ----------------------------------------------------------------------

# This file is a user-specific configuration file for `akeyless connect` CLI command, part of Akeyless Secure Remote Access
# This file should be located under the user's home directory, named explicitly: .akeyless-connect.rc

# IDENTITY_FILE - the path to the ssh-key to be signed and used for Zero Trust session (if empty, default ssh-key is used)

# CERT_ISSUER_NAME - full path to the Akeyless SSH Cert Issuer to use for Zero Trust session

# AKEYLESS_PROFILE - Akeyless CLI profile to be used

# Akeyless CLI binary (if needed)

# AKEYLESS_GW_REST_API - URL for Akeyless API Gateway (RestAPI)

# Following are used for control service, to configure the temporary session:

# Allow caching of temp session creds

# Display connection stages

# Use SSH Agent to store user's identity keys.


# Path to SSH executable. e.g. /usr/bin/ssh

The latest version of this file can be found in Akeyless official artifacts.

Edit the settings as follows:

IDENTITY_FILE - Default is ~/.ssh/id_rsa. Full path to the private key to be signed and used for the Zero Trust session.

CERT_ISSUER_NAME - Full path to the Akeyless SSH Certificates Issuer item.

AKEYLESS_PROFILE - Set the default profile that will be used from your Akeyless Command Line Interface (CLI). By default, it's using the default profile of your Akeyless CLI.

AKEYLESS_CLI - Akeyless CLI binary (if needed).

AKEYLESS_GW_REST_API - Set your Akeyless Gateway URL on port 8080 for Zero-Knowledge items and for internal network access.

BASTION_API_PROTO - Default is http. Set to https when your Secure Remote Access Bastion is configured with TLS.

BASTION_API_PORT - Default is set to 9900. Set your matching ssh-sra cluster service port.

BASTION_SSH_PORT - Default is set to 22. Set your matching ssh-sra cluster service port.

Optional when working with Application Load Balancers, you can set the exact path of your ssh-sra service, which listens to the bastion api control port:

BASTION_API_PREFIX - Set your path prefix as your load balancer settings.

BASTION_API_PATH - Set your path as your load balancer settings.

Where the URL will be set as follow:


SSH_EXTRA_ARGS - Add any official SSH arguments.

  1. Use the akeyless-scp command to perform secure copy to remote target server via Akeyless Secure Remote Access Bastion:

Full options list:

Usage: /usr/local/bin/akeyless-scp <user@remote-server[:port]> -v <bastion-server[:port]> [options]

optional arguments:
    -i, --identity_file     Selects a file from which the identity (private key) for public key authentication is read [default is '~/.ssh/id_rsa']
    -c, --cert-issuer-name  Akeyless certificate issuer name [mandatory]
    -l, --local-file        File to copy [mandatory]
    -r, --remote-file       File to copy [default is '~/']
    -d, --direction         Transfer direction, can be: upload/download [default is 'upload']
    --profile               Use a specific profile from your Akeyless CLI
    --ssh-extra-args        Use to add official SSH arguments (except -i)

For example, this command will copy a local file to a remote server.

akeyless-scp user@destination-server -v <sra-bastion-ssh-service> --local-file /full/local/location/file --remote-file /remote/location/file

Working With SSH Keys

When the remote host doesn’t support SSH Certificates, you can still work with Akeyless SCP utilizing SSH Keys where the relevant private key is stored as a Static Secret within Akeyless, where the connection from the client to the Akeyless Bastion is established over short-lived SSH certificate, and from the Akeyless Bastion, the connection is established over SSH using keys, for example:

akeyless-scp <username>@<target-host> -v <sra-bastion-ssh-service> --local-file demo_file --remote-file /home/ubuntu/demo_file --name "/path/to/static-secret-of-ssh_private_key"

The --name should point to a static secret in Akeyless holding the SSH private key. Users should have only list permission on this item, while the Bastion should have read permission.

In that case, a tunnel will be established, and the Akeyless Bastions will fetch the key and allow the client to use it without exposing it to them.